Copilot Studio compliance offerings

Important

Power Virtual Agents capabilities and features are now part of Microsoft Copilot Studio following significant investments in generative AI and enhanced integrations across Microsoft Copilot.

Some articles and screenshots may refer to Power Virtual Agents while we update documentation and training content.

Copilot Studio is a Core Online Service, as defined in the Online Services Terms (OST), and is compliant with or covered by:

  • Health Insurance Portability and Accountability Act (HIPAA) coverage
  • Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
  • Federal Risk and Authorization Management Program (FedRAMP)
  • System and Organization Controls (SOC)
  • Various International Organization for Standardization (ISO) certifications
  • Payment Card Industry (PCI) Data Security Standard (DSS)
  • The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)
  • United Kingdom Government Cloud (G-Cloud)
  • Outsourced Service Provider's Audit Report (OSPAR)
  • Korea-Information Security Management System (K-ISMS)
  • Singapore Multi-Tier Cloud Security (MTCS) Level 3
  • Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures

Health Insurance Portability and Accountability Act (HIPAA) coverage

HIPAA is a United States healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—that have access to patients' protected health information (PHI), in addition to business associates—such as cloud service and IT providers—that process PHI on their behalf.

Microsoft Copilot Studio is covered under the Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).

You can create copilots that handle protected health information when your organization is bound by HIPAA, as in the following scenarios where the copilot can:

  • Ask individuals to provide their health information (blood pressure, weight, and so on).
  • Capture health information and personally identifying information, such as the customer's IP address or email address.

Note

Although Copilot Studio is covered under HIPAA, it still isn't intended for use as a medical device. See the disclaimer on the intended use of Copilot Studio and medical devices.

Learn more about HIPAA.

Health Information Trust Alliance (HITRUST)

HITRUST is an organization governed by representatives from the healthcare industry.

HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance consistently.

The CSF builds on HIPAA and the HITECH Act, which are US healthcare laws that have established requirements for the use, disclosure, and safeguarding of individually identifiable health information and enforce non-compliance.

HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered health entities can measure compliance.

Learn more about HITRUST.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA) and to accelerate the adoption of secure cloud solutions by federal agencies.

Microsoft's government cloud services meet the requirements of FedRAMP.

By deploying protected services including Azure Government, Office 365 US Government, and Dynamics 365 Government, federal and defense agencies can use a rich array of compliant services.

Learn more about FedRAMP.

SOC compliance

SOC is a method for assuring control regulation within a service. Microsoft Copilot Studio has been audited to be compliant with SOC.

SOC audit reports are available from the Microsoft Service Trust Portal.

Learn more about SOC.

ISO compliance

Microsoft Copilot Studio is compliant with the ISO standards listed in the following table. Audit reports for each are available from the Microsoft Service Trust Portal.

| Standard | Name of report and certificate | Link to standard (www.iso.org) |
|---|---|---|
| ISO 9001:2015 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO9001 Certificate and Assessment Report | ISO 9001:2015 |
| ISO 20000-1:2011 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO20000-1 Certificate and Assessment Report | ISO/IEC 20000-1:2011 |
| ISO 22301:2012 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO20000-1 Certificate and Assessment Report | ISO/IEC 22301:2012 |
| ISO 27001:2013 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001 and 27701 Certificate and Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27001:2013 |
| ISO 27017:2015 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27017 Certificate and Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27017:2015 |
| ISO 27018:2019 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27018 Certificate and Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27018:2019 |
| ISO 27701:2019 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27701 Certificate and Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27701:2019 |

Payment Card Industry (PCI) Data Security Standard (DSS)

The Payment Card Industry (PCI) Data Security Standards (DSS) form a global information security standard designed to prevent fraud through increased control of credit card data.

Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands:

  • Visa
  • MasterCard
  • American Express
  • Discover
  • Japan Credit Bureau (JCB)

Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and card-holder data.

Learn more about PCI DSS.

The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)

From the CSA STAR website:

  • The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.

    The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.

Microsoft Copilot Studio has been audited to be compliant with CSA STAR.

Learn more about CSA STAR.

United Kingdom Government Cloud (G-Cloud)

Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing.

G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store, the Digital Marketplace. These enable public-sector organizations to compare and procure those services without having to do their own full review process.

Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.

Learn more about G-Cloud.

Outsourced Service Provider's Audit Report (OSPAR)

The OSPAR framework was established by the Association of Banks in Singapore (ABS), which formulated IT security guidelines for outsourced service providers (OSPs) that seek to provide services to Singapore's financial institutions. The ABS Guidelines are intended to assist financial institutions in understanding approaches to due diligence, vendor management, and key technical and organizational controls that should be implemented in cloud outsourcing arrangements, particularly for material workloads.

Microsoft Copilot Studio has OSPAR attestation.

Learn more about the ABS OSPAR.

Korea-Information Security Management System (K-ISMS)

K-ISMS is a country/region-specific ISMS framework that defines a stringent set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets.

Learn more about ISMS (Korea).

Singapore Multi-Tier Cloud Security (MTCS) Level 3

The MTCS Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA).

The ITSC promotes and facilitates national programs to standardize IT and communications, and Singapore's participation in international standardization activities.

Learn more about MTCS.

Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures

In 2007, the Spanish government enacted Law 11/2007, which established a legal framework to give citizens electronic access to government and public services. This law is the basis for Esquema Nacional de Seguridad (National Security Framework), which is governed by Royal Decree (RD) 3/2010.

The goal of the framework is to build trust in the provision of electronic services, and ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of data, information, and services.

Learn more about ENS.